#!

###########################
# Firewall Settings Address
###########################
config firewall address
# FQDN address objects for the Apple iTunes/App Store, macOS software-update and
# Windows Update hosts that the address groups further down bundle together.
# Every object is type fqdn with a 1800 s resolver cache TTL and color 7.
# NOTE(review): an FQDN object is only as trustworthy as the DNS answer the
# FortiGate receives for it -- confirm the unit resolves through a trusted resolver.
edit "host-mydomain1-albert.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server mydomain1-sg0e0"
set fqdn "albert.apple.com"
next
edit "host-mydomain1-ax.itunes.apple.com"
set type fqdn
set cache-ttl 1800
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set color 7
set fqdn "ax.itunes.apple.com"
next
edit "host-mydomain1-deimos3.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "deimos3.apple.com"
next
edit "host-mydomain1-download.windowsupdate.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "download.windowsupdate.com"
next
edit "host-mydomain1-gs.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "gs.apple.com"
next
edit "host-mydomain1-itunes.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "itunes.apple.com"
next
edit "host-mydomain1-metrics.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "metrics.apple.com"
next
edit "host-mydomain1-phobos.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "phobos.apple.com"
next
edit "host-mydomain1-phobos.apple.com.edgesuite.net"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "phobos.apple.com.edgesuite.net"
next
edit "host-mydomain1-swcdn.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swcdn.apple.com"
next
edit "host-mydomain1-swdownload.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swdownload.apple.com"
next
edit "host-mydomain1-swquery.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swquery.apple.com"
next
edit "host-mydomain1-swscan.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swscan.apple.com"
next
edit "host-mydomain1-update.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "update.microsoft.com"
next
edit "host-mydomain1-appldnld.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "appldnld.apple.com"
next
edit "host-mydomain1-www.msftncsi.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "www.msftncsi.com"
next
edit "host-mydomain1-windowsupdate.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "windowsupdate.microsoft.com"
next
edit "host-mydomain1-download.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "download.microsoft.com"
next
edit "host-mydomain1-test.stats.update.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "test.stats.update.microsoft.com"
next
edit "host-mydomain1-ntservicepack.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "ntservicepack.microsoft.com"
next
edit "host-mydomain1-au.download.windowsupdate.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "au.download.windowsupdate.com"
end
###########################
# Firewall Settings Address Group
###########################
config firewall addrgrp
# Address groups that bundle the host-* FQDN objects defined above, one group per
# update service, so policies can reference a single object each.
edit "gr-mydomain1-apple-itunes-appstore-server"
set member "host-mydomain1-albert.apple.com" "host-mydomain1-appldnld.apple.com" "host-mydomain1-ax.itunes.apple.com" "host-mydomain1-deimos3.apple.com" "host-mydomain1-gs.apple.com" "host-mydomain1-itunes.apple.com" "host-mydomain1-metrics.apple.com" "host-mydomain1-phobos.apple.com" "host-mydomain1-phobos.apple.com.edgesuite.net"
set comment "Group itunes appstoare update server mydomain1-sg0e0"
set color 7
next
edit "gr-mydomain1-mac-osx-update-server"
set member "host-mydomain1-swcdn.apple.com" "host-mydomain1-swdownload.apple.com" "host-mydomain1-swquery.apple.com" "host-mydomain1-swscan.apple.com"
set comment "Group mac os x update server mydomain1-sg0e0"
set color 7
next
edit "gr-mydomain1-fw-interface"
# NOTE(review): the fw-interface-mydomain1-* members are not defined anywhere in
# this file; they must already exist on the unit or this edit presumably fails
# when the script is applied -- verify before use.
set member "fw-interface-mydomain1-1.1.1.1-32" "fw-interface-mydomain1-198.18.0.1-32" "fw-interface-mydomain1-198.18.2.1-32" "fw-interface-mydomain1-198.18.2.129-32"
set comment "Firewall interface ip mydomain1-sg0e0"
set color 1
next
edit "gr-mydomain1-windows-update-server"
set member "host-mydomain1-au.download.windowsupdate.com" "host-mydomain1-download.microsoft.com" "host-mydomain1-download.windowsupdate.com" "host-mydomain1-ntservicepack.microsoft.com" "host-mydomain1-test.stats.update.microsoft.com" "host-mydomain1-update.microsoft.com" "host-mydomain1-windowsupdate.microsoft.com" "host-mydomain1-www.msftncsi.com"
set comment "Group windows update server mydomain1-sg0e0"
set color 7
next
end
###########################
# Firewall Settings Deep-Inspection / SSL-SSH-Profile
###########################
config firewall ssl-ssh-profile
# "URL scan only" profile: HTTPS is set to certificate-inspection (the server
# certificate / SNI is examined, the session is not decrypted); FTPS, IMAPS,
# POP3S and SMTPS are disabled, so this profile decrypts nothing.
# NOTE(review): allow-invalid-server-cert enable in every section below means a
# server presenting an invalid or untrusted certificate is NOT blocked -- it is
# only logged (ssl-invalid-server-cert-log enable). Confirm that is intended.
# unsupported-ssl bypass likewise passes through sessions the unit cannot parse.
# server-cert-mode re-sign with the built-in Fortinet_CA_SSLProxy presumably only
# takes effect if a section is later switched to deep inspection; clients would
# then need to trust that CA.
edit mydomain1-url-scan.local
set comment "Encrypted URL Scan Only default profile mydomain1.ch"
set server-cert-mode re-sign 
set caname Fortinet_CA_SSLProxy 
set certname Fortinet_CA_SSLProxy 
set ssl-invalid-server-cert-log enable
config ssl
set inspect-all disable
set allow-invalid-server-cert enable
set ssl-ca-list disable
end
config https
set ports 443
set status certificate-inspection 
set client-cert-request bypass 
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config ftps
set ports 990
set status disable
set client-cert-request bypass 
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config imaps
set ports 993
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config pop3s
set ports 995
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config smtps
set ports 465
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
end
config firewall ssl-ssh-profile
# "No encryption inspection" profile: every protocol section (https, ftps, imaps,
# pop3s, smtps) has status disable, so this profile performs no SSL/SSH inspection
# at all. The re-sign CA, allow-invalid-server-cert and ssl-ca-list values below
# are presumably inert until a section is enabled; if one is, note that invalid
# server certificates would be logged (ssl-invalid-server-cert-log) but not blocked.
edit mydomain1-default.local
set comment "None Encrypted default profile mydomain1.ch"
set server-cert-mode re-sign 
set caname Fortinet_CA_SSLProxy 
set certname Fortinet_CA_SSLProxy 
set ssl-invalid-server-cert-log enable
config ssl
set inspect-all disable
set allow-invalid-server-cert enable
set ssl-ca-list disable
end
config https
set ports 443
set status disable 
set client-cert-request bypass 
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config ftps
set ports 990
set status disable
set client-cert-request bypass 
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config imaps
set ports 993
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config pop3s
set ports 995
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
config smtps
set ports 465
set status disable
set client-cert-request inspect
set unsupported-ssl bypass 
set allow-invalid-server-cert enable 
set ssl-ca-list disable 
end
end
###########################
# Firewall Settings Protocol Options
###########################
config firewall profile-protocol-options
# Protocol options used by the unencrypted default profile: http, ftp, imap, pop3,
# smtp and dns inspection are enabled on their standard ports; mapi and nntp are
# disabled. oversize-limit / uncompressed-oversize-limit are 10 everywhere (unit
# per FortiOS docs, presumably MB) with a decompression nesting limit of 12.
# NOTE(review): scan-bzip2 disable in every section means bzip2 archives are
# presumably passed without being decompressed for content scanning -- confirm
# this is an accepted gap.
edit "mydomain1-default.local"
set comment "Unencrypted default profile mydomain1.ch"
set oversize-log enable
set switching-protocols-log enable
config http
# block-page-status-code 200: blocked requests answer with HTTP 200, so clients
# and monitoring that key on non-2xx status will not see the block as an error.
set ports 80    
set status enable     
set inspect-all disable     
set options clientcomfort     
set comfort-interval 10    
set comfort-amount 1    
set fortinet-bar disable     
set streaming-content-bypass enable     
set switching-protocols bypass     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable     
set block-page-status-code 200    
set retry-count 0
end
config ftp
set ports 21    
set status enable     
set inspect-all disable     
set options clientcomfort     
set comfort-interval 10    
set comfort-amount 1    
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable 
end
config imap
set ports 143    
set status enable     
set inspect-all disable     
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable 
end
config mapi
set ports 135    
set status disable     
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable
end
config pop3
set ports 110    
set status enable     
set inspect-all disable     
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable
end
config smtp
set ports 25    
set status enable     
set inspect-all disable     
set options fragmail     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable     
set server-busy disable
end
config nntp
set ports 119    
set status disable     
set inspect-all disable     
set oversize-limit 10    
set uncompressed-oversize-limit 10    
set uncompressed-nest-limit 12    
set scan-bzip2 disable 
end
config dns
set ports 53    
set status enable 
end
config mail-signature
set status disable     
end
end
###########################
# Firewall DDoS Policy
###########################
config firewall DoS-policy
# Anomaly (DoS) policy on wan1 matching all sources, destinations and services.
# Only tcp_syn_flood, udp_flood and icmp_flood carry "set action block"; the
# other enabled anomalies have no action line and presumably fall back to the
# default action (log only), so they detect but do not stop the traffic.
# ip_*_session and sctp_* entries set a threshold but not "status enable", so
# they presumably stay at the default (disabled) status and the threshold is inert.
# Thresholds are per-unit tuning values; confirm them against observed baseline
# traffic before relying on the block actions.
edit 1
set interface wan1
set srcaddr all
set dstaddr all
set service ALL
config anomaly
edit "tcp_syn_flood"
set status enable
set action block
set threshold 2000
next
edit "tcp_port_scan"
set status enable
set threshold 1000
next
edit "tcp_src_session"
set status enable
set threshold 5000
next
edit "tcp_dst_session"
set status enable
set threshold 5000
next
edit "udp_flood"
set status enable
set action block
set threshold 2000
next
edit "udp_scan"
set status enable
set threshold 2000
next
edit "udp_src_session"
set status enable
set threshold 5000
next
edit "udp_dst_session"
set status enable
set threshold 5000
next
edit "icmp_flood"
set status enable
set action block
set threshold 250
next
edit "icmp_sweep"
set status enable
set threshold 100
next
edit "icmp_src_session"
set status enable
set threshold 300
next
edit "icmp_dst_session"
set status enable
set threshold 1000
next
edit "ip_src_session"
set threshold 5000
next
edit "ip_dst_session"
set threshold 5000
next
edit "sctp_flood"
set threshold 2000
next
edit "sctp_scan"
set threshold 1000
next
edit "sctp_src_session"
set threshold 5000
next
edit "sctp_dst_session"
set threshold 5000
next
end
next
end
###########################
# Firewall Traffic Shaper
###########################
config firewall shaper traffic-shaper
# Traffic shapers. Bandwidth values are in kbps (the 1024 "1M pipe" below agrees
# with that): the three priority shapers cap at 1048576 kbps with per-policy
# enabled, i.e. each policy that references them gets its own shaper instance.
edit "mydomain1-high-priority.local"
set maximum-bandwidth 1048576
set per-policy enable
set priority high
next
edit "mydomain1-medium-priority.local"
set maximum-bandwidth 1048576
set per-policy enable
set priority medium
next
edit "mydomain1-low-priority.local"
set maximum-bandwidth 1048576
set per-policy enable
set priority low
next
# Guarantees 100 kbps per policy; no priority line, so the default priority applies.
edit "mydomain1-guarantee-100kbps.local"
set guaranteed-bandwidth 100
set maximum-bandwidth 1048576
set per-policy enable
next
# No per-policy line here, so this 1024 kbps cap is presumably shared by every
# policy that references the shaper (matching the "shared" in its name).
edit "mydomain1-shared-1M-pipe.local"
set maximum-bandwidth 1024
next
end
###########################
# Firewall SSL Setting
###########################
#
# To increase the Diffie-Hellman key size (DH bits) used for global SSL,
# use the following settings (default: 1024). 1024-bit DH is below current
# recommendations, so 2048 is the value to prefer where peers support it.
#
#config firewall ssl settings
#set ssl-dh-bits [1024 | 1536 | 2048 | 768]
#end
#